system services firewall policy create
Create a firewall policy entry for a network service
Availability: This command is available to cluster administrators at the admin privilege level.
system services firewall policy create command creates a firewall policy entry with the specified name and network service. This command is used both to create the first network service associated with a new firewall policy, and to add to an existing firewall policy by associating another network service with an existing policy. You can optionally specify one or more IP addresses with corresponding netmasks that are allowed to use the firewall policy entry.
You can use the network interface modify command with the
-firewall-policy parameter to put a firewall policy into effect for a given logical interface by modifying that logical interface to use the specified firewall policy.
-vserver <vserver>- Vserver Name
Use this parameter to specify the name of the Vserver on which the policy is to be created.
-policy <textpolicy_name>- Policy
Use this parameter to specify the name of the policy that is to be created.
-service <service>- Service
Use this parameter to specify the network service that is associated with the policy. Possible values include:
dns - The DNS protocol server
http - The HTTP protocol
ndmp - The NDMP tape backup protocol
ndmps - The NDMPS tape backup protocol
none - No protocol (for creating an empty policy)
ntp - The NTP protocol
rsh - The RSH protocol
snmp - The SNMP protocol
telnet - The Telnet protocol
-allow-list <IP Address/Mask>,…- Allowed IPs
Use this parameter to specify one or more IP addresses with corresponding netmasks that are to be allowed by this firewall policy. The correct format for this parameter is address/netmask, similar to "192.0.2.128/25". Multiple address/netmask pairs should be separated with commas. Use the value
The following example creates a firewall policy named data that uses the NDMP protocol and enables access from all IP addresses on the 192.0.2.128/25 subnet:
cluster1::> system services firewall policy create -policy data -service ndmp -allow-list 192.0.2.128/25
The following example adds an entry to the firewall policy named data, associating the DNS protocol with that policy and enabling access from all IP addresses on the 192.0.2.128/25 subnet:
cluster1::> system services firewall policy create -policy data -service dns -allow-list 192.0.2.128/25